
CISA Certified Information Systems Auditor Questions and Answers

Questions 4

What is the MOST critical finding when reviewing an organization's information security management?

Options:

A. No periodic assessments to identify threats and vulnerabilities
B. No dedicated security officer
C. No employee awareness training and education program
D. No official charter for the information security management system

Questions 5

What is the PRIMARY purpose of performing a parallel run of a new system?

Options:

A. To provide a failover plan in case of system issues.
B. To validate the operation of the new system against its predecessor.
C. To verify the new system can process the production load
D. To verify the new system provides required business functionality

Questions 6

Which of the following should be the MOST important consideration when prioritizing IS audit activities?

Options:

A. The complexity level of the audit procedure
B. The criticality of IT processes for the business function
C. Process owner availability during the audit
D. The number of audit team members required for the task

Questions 7

Which of the following is a KEY consideration to ensure the availability of nodes in an active-active application cluster configuration?

Options:

A. The cluster agent software used is open source
B. Some of the nodes are located in the same city.
C. Adequate storage exists across all nodes.
D. Network encryption exists between nodes

Questions 8

What is an IS auditor's BEST recommendation to strengthen security guidelines in order to prevent data leakage from the use of smart devices?

Options:

A. Include usage restrictions for smart devices in the security procedures.
B. Require employees to formally acknowledge security procedures.
C. Review the access logs to the organization's sensitive data in a timely manner.
D. Enforce strong security settings on smart devices.

Questions 9

During an audit of an organization's intranet, it is discovered that users are not deleting their local web browser caches on a regular basis. This practice will result in the risk of

disclosure of information

Options:

A. reputation
B. data incompleteness
C. data incompleteness
D. lack of data integrity

Questions 10

An organization plans to deploy Wi-Fi location analytics to count the number of shoppers per day across its various retail outlets. What should the IS auditor recommend as the FIRST course of action by IT management?

Options:

A. Develop a privacy notice to be displayed to shoppers
B. Mask media access control (MAC) addresses
C. Conduct a privacy impact assessment
D. Survey shoppers for feedback

Questions 11

Which of the following provides the BEST indication that IT key performance indicators (KPIs) are integrated into management practices?

Options:

A. KPIs are reviewed on a periodic basis.
B. All relevant parties are involved in the design of KPIs
C. KPIs are communicated to stakeholders
D. IT KPIs include business metrics

Questions 12

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Options:

A. Enforcement of an internal data access policy
B. Application of single sign-on for access control
C. Enforcement of the use of digital signatures
D. Implementation of segregation of duties

Questions 13

A system undergoing acceptance testing is still subject to programming changes. This should have been prohibited in the acceptance test strategy through specifications of:

Options:

A. exit criteria
B. stress testing.
C. stopping criteria
D. entry criteria

Questions 14

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A. Mandatory holidays
B. Background checks
C. Transaction log review
D. User awareness training

Questions 15

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

Options:

A. transaction tagging
B. parallel simulation.
C. integrated test facility (ITF)
D. embedded audit modules.

Questions 16

A system was recently promoted to the production environment. An IS auditor has been asked by senior management to update the annual IT audit plan. Which of the following should be the auditor's NEXT course of action?

Options:

A. Update the risk assessment to include the new system.
B. Contract with a third party to conduct an audit of the new system.
C. Maintain the plan with no changes and perform a separate review of the new system
D. Update the audit plan to include the new system

Questions 17

During a post-implementation review, a step in determining whether a project met user requirements is to review the:

Options:

A. completeness of user documentation.
B. integrity of key calculations.
C. effectiveness of user training.
D. change requests initiated after go-live.

Questions 18

An IS auditor is assessing a recent migration of mission critical applications to a virtual platform. Which of the following observations poses the GREATEST risk to the organization?

Options:

A. The migration was not approved by the board of directors.
B. Training for staff with new virtualization responsibilities has not been conducted.
C. Role descriptions do not accurately reflect new virtualization responsibilities.
D. A post-implementation review of the hypervisor has not yet been conducted.

Questions 19

An IS auditor is reviewing an organization's sales and purchasing system due to ongoing data quality issues. An analysis of which of the following would provide the MOST useful information to determine the revenue loss?

Options:

A. Correlation between data errors and loss in value of transaction
B. Correlation between the number of issues and average downtime
C. Cost of implementing data validation controls within the system
D. Comparison of the cost of data acquisition and loss in sales revenue

Questions 20

Which of the following is the GREATEST benefit of implementing an IT governance strategy within an organization?

Options:

A. IT projects are delivered on time and under budget
B. Management is aware of IT-related risks.
C. Employees understand roles and responsibilities
D. Reporting and metrics become higher priority.

Questions 21

Which of the following is the GREATEST risk of cloud computing?

Options:

A. Lack of scalability
B. Reduced performance
C. Disclosure of data
D. Inflexibility

Questions 22

As part of a follow-up of a previous year’s audit, an IS auditor has increased the expected error rate for a sample. The impact will be:

Options:

A. required sample size increases.
B. sampling risk decreases.
C. degree of assurance increases.
D. standard deviation decreases.

Questions 23

To preserve chain-of-custody following an internal server compromise, which of the following should be the FIRST step?

Options:

A. Trace the attacking route.
B. Replicate the attack using the remaining evidence.
C. Take a system image including memory dump.
D. Safely shut down the server.

Questions 24

An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?

Options:

A. Attend project progress meetings to monitor timely implementation of the application.
B. Assist users in the design of proper acceptance-testing procedures.
C. Follow up with project sponsor for project's budgets and actual costs.
D. Review functional design to determine that appropriate controls are planned.

Questions 25

During the course of an audit, an IS auditor's organizational independence is impaired. The IS auditor should FIRST:

Options:

A. inform senior management in writing and proceed with the audit
B. inform audit management of the situation.
C. proceed with the audit as planned after documenting the incident.
D. obtain the auditee's approval before continuing the audit.

Questions 26

Which of the following test approaches would utilize data analytics to validate customer authentication controls for banking transactions?

Options:

A. Evaluate configuration settings for transactions requiring customer identification.
B. Review the business requirements document for customer identification requirements.
C. Review transactions completed for one period that have blank customer identification fields.
D. Attempt to complete a monetary transaction and leave the customer identification fields blank.

Questions 27

To create a digital signature in a message using asymmetric encryption, it is necessary to:

Options:

A. first use a symmetric algorithm for the authentication sequence.
B. encrypt the authentication sequence using a public key.
C. transmit the actual digital signature in unencrypted clear text.
D. encrypt the authentication sequence using a private key.

Questions 28

Which of the following would BEST provide executive management with current information on IT related costs and IT performance indicators?

Options:

A. Risk register
B. IT service management plan
C. Continuous audit reports
D. IT dashboard

Questions 29

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A. Examine the computer to search for evidence supporting the suspicions.
B. Notify local law enforcement of the potential crime before further investigation.
C. Advise management of the crime after the investigation.
D. Contact the incident response team to conduct an investigation.

Questions 30

When determining the specifications for a server supporting an online application using more than a hundred endpoints, which of the following is the MOST important factor to be considered?

Options:

A. Cost-benefit comparison between the available systems
B. High availability of different systems
C. Transaction volume estimate during peak periods
D. Reputation of the vendors and their customer base

Questions 31

An IS auditor is reviewing the results of a business process improvement project. Which of the following should be performed FIRST?

Options:

A. Evaluate control gaps between the old and the new processes.
B. Develop compensating controls.
C. Document the impact of control weaknesses in the process.
D. Ensure that lessons learned during the change process are documented.

Questions 32

An IS auditor previously worked in an organization's IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. The auditor should FIRST:

Options:

A. document the conflict in the audit report.
B. decline the audit assignment.
C. communicate the conflict of interest to the audit manager prior to starting the assignment.
D. communicate the conflict of interest to the audit committee prior to starting the assignment

Questions 33

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following would be the KEY procedure for the IS auditor to perform?

Options:

A. Review system documentation to ensure completeness.
B. Ensure that a detection system designed to verify transaction accuracy is included.
C. Review input and output control reports to verify the accuracy of the system decisions.
D. Review signed approvals to ensure responsibilities for decisions of the system are well-defined.

Questions 34

The purpose of data migration testing is to validate data:

Options:

A. retention.
B. completeness.
C. availability.
D. confidentiality.

Questions 35

An organization with high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?

Options:

A. False-identification rate (FIR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. False-acceptance rate (FAR)

Questions 36

During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?

Options:

A. Logical relationship check
B. Table look-ups
C. Existence check
D. Referential integrity

Questions 37

An IS auditor has identified that some IT staff have administrative access to the enterprise resource planning (ERP) application, database, and server. IT management has responded that due to limited resources, the same IT staff members have to support all three layers of the ERP application. Which of the following would be the auditor's BEST recommendation to management?

Options:

A. Monitor activities of the associated IT staff members by reviewing system-generated logs weekly.
B. Request funding to hire additional IT staff to enable segregation of duties.
C. Remove some of the administrative access of the associated IT staff members.
D. Leverage business unit personnel to serve as administrators of the application.

Questions 38

Which of the following is the MAIN purpose of implementing an incident response process?

Options:

A. Assign roles and responsibilities
B. Comply with policies and procedures.
C. Provide substantial audit-trail evidence.
D. Manage impact due to breaches.

Questions 39

An IS auditor is reviewing the process followed in identifying and prioritizing the critical business processes. This process is part of the:

Options:

A. operations component of the business continuity plan (BCP).
B. enterprise risk management plan.
C. balanced scorecard.
D. business impact analysis (BIA).

Questions 40

The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

Options:

A. Prevention
B. Inherent
C. Detection
D. Control

Questions 41

Which of the following is the GREATEST risk posed by denial-of-service attacks?

Options:

A. Confidential information leakage
B. Unauthorized access to the systems
C. Loss of integrity and corruption of databases
D. Loss of reputation and business

Questions 42

During a post-incident review of a security breach, what type of analysis should an IS auditor expect to be performed by the organization's information security team?

Options:

A. Gap analysis
B. Business impact analysis (BIA)
C. Qualitative risk analysis
D. Root cause analysis

Questions 43

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A. A comprehensive asset inventory
B. A tested incident response plan
C. An approved patching policy
D. A robust tabletop exercise plan

Questions 44

As part of a quality assurance initiative, an organization has engaged an external auditor to evaluate the internal IS audit function. Which of the following observations should be of MOST concern?

Options:

A. The audit team is not sufficiently leveraging data analytics.
B. Audit reports are not approved by the audit committee.
C. Audit reports do not state they are conducted in accordance with industry standards.
D. Audit engagements are not risk-based.

Questions 45

During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention tool. It was noted that the tool will be configured to alert IT management when large files are sent outside of the organization via email. What type of control will be tested?

Options:

A. Detective
B. Corrective
C. Directive
D. Preventive

Questions 46

In which of the following cloud service models does the user organization have the GREATEST control over the accuracy of configuration items in its configuration management database (CMDB)?

Options:

A. Software as a Service (SaaS)
B. Database as a Service (DBaaS)
C. Infrastructure as a Service (IaaS)
D. Platform as a Service (PaaS)

Questions 47

The MOST effective method for an IS auditor to determine which controls are functioning in an operating system is to:

Options:

A. Compare the current configuration to the corporate standard
B. Consult with the vendor of the system
C. Compare the current configuration to the default configuration
D. Consult with the systems programmer

Questions 48

An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?

Options:

A. Update the acceptable use policy for mobile devices.
B. Encrypt data between corporate gateway and devices.
C. Notify employees to set passwords to a specified length
D. Apply security policy to the mobile devices.

Questions 49

A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?

Options:

A. Application interfaces
B. Scope creep
C. System documentation
D. Currency conversion

Questions 50

Which of the following is the MOST important step in the development of an effective IT governance action plan?

Options:

A. Setting up an IT governance framework for the process
B. Conducting a business impact analysis (BIA)
C. Measuring IT governance key performance indicators (KPIs)
D. Preparing a statement of sensitivity

Questions 51

During the planning stage of a compliance audit, an IS auditor discovers that the bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

Options:

A. Exclude recent regulatory changes from the audit scope
B. Discuss potential regulatory issues with the legal department
C. Ask management why the regulatory changes have not been included
D. Report the missing regulatory updates to the chief information officer (CIO)

Questions 52

An IS auditor is planning a risk-based audit of the human resources department. The department uses separate systems for its payroll, training and employee performance review functions. What should the IS auditor do FIRST before identifying the key controls to be tested?

Options:

A. Determine the inherent risk related to each system.
B. Determine the number of samples to be tested for each system.
C. Assess the control risk associated with each system.
D. Identify the technical skills and resources needed to audit each system.

Questions 53

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A. Real-time audit software
B. Performance data
C. Quality assurance (QA) reviews
D. Participative management techniques

Questions 54

An IS auditor determines that a business impact analysis (BIA) was not conducted during the development of a business continuity plan (BCP). What is the MOST significant risk that could result from this situation?

Options:

A. Responsibilities are not properly defined.
B. Recovery time objectives (RTOs) are not correctly determined.
C. Key performance indicators (KPIs) are not aligned.
D. Critical business applications are not covered.

Questions 55

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A. Unauthorized changes can be moved into production.
B. Changes are applied to the wrong version of production source libraries.
C. Production source and object libraries may not be synchronized.
D. Programs are not approved before production source libraries are updated.

Questions 56

An audit report notes that terminated employees have been retaining their access rights after their departure. Which of the following strategies would BEST ensure that obsolete access rights are identified in a timely manner?

Options:

A. Delete user IDs at a predetermined date after their creation.
B. Automatically delete user IDs after they are unused for a predetermined time.
C. Implement an automated interface with the organization's human resources system.
D. Require local supervisors to initiate connection.

Questions 57

An organization is considering replacing physical backup tapes stored offsite with real-time on-line backup to a storage area network (SAN) located in the primary data center. Which of the following is the GREATEST risk?

Options:

A. Backups may require excessive storage space.
B. Implementation could cause significant cost increases.
C. Archived data may not satisfy data retention requirements.
D. A single disaster could cause significant data loss

Questions 58

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A. Documented policies
B. Strong risk management practices
C. Internal auditor commitment
D. Supportive corporate culture

Questions 59

An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Options:

A. Data tokenization
B. Data abstraction
C. Data masking
D. Data encryption

Questions 60

Which of the following observations should be of concern to an IS auditor in the fieldwork stage of a procurement audit?

Options:

A. Purchase commitments are made prior to requisitions being approved.
B. Requisitions are being facilitated by a third-party procurement service.
C. Requisitions are being processed by the finance team.
D. The purchase requester receives notifications of goods delivery.

Questions 61

Which of the following should an IS auditor recommend to facilitate the management of baseline requirements for hardening of firewalls?

Options:

A. Configuration management
B. Release management
C. Capacity management
D. Patch management

Questions 62

What is the PRIMARY reason for including a clause requiring source code escrow in an application vendor agreement?

Options:

A. Ensure the source code remains available.
B. Protect the organization from copyright disputes.
C. Segregate system development and live environments.
D. Ensure source code changes are recorded.

Questions 63

Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Options:

A. Complexity of business processes identified in the audit
B. Peak activity periods for the business
C. Remediation dates included in management responses
D. Availability of IS audit resources

Questions 64

During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor could FIRST:

Options:

A. notify management.
B. document the finding in the report
C. redesign the customer order process.
D. suspend credit card processing.

Questions 65

Which of the following would be of GREATEST concern to an IS auditor reviewing an organization's security incident handling procedures?

Options:

A. Annual tabletop exercises are performed instead of functional incident response exercises.
B. Roles for computer emergency response team (CERT) members have not been formally documented.
C. Workstation antivirus software alerts are not regularly reviewed.
D. Guidelines for prioritizing incidents have not been identified.

Questions 66

A security regulation requires the disabling of direct administrator access. Such access must occur through an intermediate server that holds administrator passwords for all systems and records all actions. An IS auditor's PRIMARY concern with this solution would be that:

Options:

A. it represents a single point of failure
B. segregation of duties is not observed.
C. it is not feasible to implement
D. access logs may not be maintained

Questions 67

Which of the following is an advantage of using electronic data interchange (EDI)?

Options:

A. Data validation is provided by the service provider.
B. Contracts with the vendors are simplified.
C. Multiple inputs of the same document are allowed at different locations.
D. Transcription of information is reduced.

Questions 68

An IS auditor is reviewing environmental controls and finds extremely high levels of humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from this condition?

Options:

A. Corrosion
B. Static electricity
C. Brownout
D. Fire

Questions 69

Which of the following IS audit findings should be of GREATEST concern when preparing to migrate to a new core system using a direct cut-over?

Options:

A. Informal management approval to go live
B. Lack of a rollback strategy for the system go-live
C. Plans to use some workarounds for an extended period after go-live
D. Incomplete test cases for some critical reports

Questions 70

An IT department installed critical patches provided by the vendor to HR production servers. Immediately after the installation was completed, the HR department called to report that none of its users could access the system. What should be the IT department's FIRST step in addressing this issue?

Options:

A. Follow back-out procedures
B. Troubleshoot the system and fix the issue.
C. Run system diagnostics on the staging servers.
D. Document the calls and user issues.

Questions 71

In an online application, which of the following would provide the MOST information about the transaction audit trail?

Options:

A. File layouts
B. System/process flowchart
C. Source code documentation
D. Data architecture

Questions 72

Which of the following is a prerequisite to help ensure that IS hardware and software support the delivery of mission-critical functions?

Options:

A. Control over IS infrastructure expenditure
B. A comprehensive IS applications architecture
C. Documented emergency change procedures
D. An independent audit of the process

Questions 73

Which of the following is the GREATEST benefit of implementing an incident management process?

Options:

A. Reduction in security threats
B. Opportunity for frequent reassessment of incidents
C. Reduction in the business impact of incidents
D. Reduction of cost by the efficient use of resources

Questions 74

Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?

Options:

A. All documents have been reviewed by end users.
B. All inputs and outputs for potential actions are included.
C. Both successful and failed interface data transfers are recorded.
D. Failed interface data transfers prevent subsequent processes.

Questions 75

Which of the following is an analytical review procedure for a payroll system?

Options:

A. Evaluating the performance of the payroll system using benchmarking software
B. Testing hours reported on time sheets
C. Performing penetration attempts on the payroll system
D. Performing reasonableness tests by multiplying the number of employees by the average wage rate

Questions 76

Which of the following would BEST prevent data from being orphaned?

Options:

A. Input validation checks
B. Table partitioning
C. Table indexes
D. Referential integrity

Questions 77

Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

Options:

A. Approving the design of controls for the data center
B. Performing independent reviews of responsible parties engaged in the project
C. Shortlisting vendors to perform renovations
D. Ensuring the project progresses as scheduled and milestones are achieved

Questions 78

Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

Options:

A. Established criteria exist for accepting and approving risk.
B. Identified risk is reported into the organization's risk committee.
C. Potential impact and likelihood is adequately documented.
D. A communication plan exists for informing parties impacted by the risk.

Questions 79

An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

Options:

A. The implementation of security awareness.
B. System administration can be better managed.
C. Administrative security can be provided for the client.
D. Desktop application software will never have to be upgraded.

Questions 80

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Options:

A. Business interruption due to remediation
B. IT budgeting constraints
C. Risk rating of original findings
D. Availability of responsible IT personnel

Questions 81

When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor should FIRST review:

Options:

A. the IT governance framework.
B. the IT processes and procedures.
C. information security procedures.
D. the most recent audit results.

Questions 82

Which of the following would represent an acceptable test of an organization's business continuity plan?

Options:

A. Full test of computer operations at an emergency site
B. Paper test involving functional areas
C. Benchmarking the plan against similar organizations
D. Walk-through of the plan with technology suppliers

Questions 83

Which of the following should be an IS auditor's PRIMARY consideration when reviewing a project to outsource data center hosting services?

Options:

A. Regulatory requirements regarding the location of data
B. Adherence to industry standards for ensuring integrity of data
C. The vendor's ability to meet established service level agreements (SLAs)
D. Existence of a right-to-audit clause in the vendor agreement

Questions 84

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

Options:

A. Misconfiguration and missing updates
B. Malicious software and spyware
C. Zero-day vulnerabilities
D. Security design flaws

Questions 85

An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

Options:

A. review reciprocal agreements
B. review logical access controls
C. evaluate physical access control
D. analyze system restoration procedures

Questions 86

Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic analysis following incidents of suspicious activities on a server?

Options:

A.

Audit logs are not enabled on the server.

B.

The server is outside the domain.

C.

The server's operating system is outdated.

D.

Most suspicious activities were created by system IDs.

Questions 87

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Organizational policies and procedures

D.

Data classification

Questions 88

An organization is in the process of rolling out a new inventory software tool to replace a suite of verified individual spreadsheet-based inventory solutions. Which of the following is MOST important to help ensure ongoing data integrity within the new inventory tool?

Options:

A.

Restricting edit access for the new tool to data owners only

B.

Ensuring data quality at the point of data entry

C.

Requiring key inventory data points to be mandatory fields in the new tool

D.

Conducting a post-migration quality assurance review

Questions 89

Which of the following is the BEST development methodology to help manage project requirements in a rapidly changing environment?

Options:

A.

Prototyping

B.

Iterative development process

C.

Object-oriented system development

D.

Waterfall development process

Questions 90

An IS auditor is performing a routine procedure to test for the possible existence of fraudulent transactions. Given there is no reason to suspect the existence of fraudulent transactions, which of the following data analytics techniques should be employed?

Options:

A.

Association analysis

B.

Classification analysis

C.

Anomaly detection analysis

D.

Regression analysis

Questions 91

Which of the following is the PRIMARY criterion for identifying an incident severity level?

Options:

A.

Data integrity

B.

Speed of recovery

C.

Time to recognition

D.

Impact on business

Questions 92

When evaluating a project immediately prior to implementation, which of the following would provide the BEST evidence that the system has the required functionality?

Options:

A.

User acceptance testing (UAT) results

B.

Quality assurance (QA) results

C.

Integration testing results

D.

Sign-off from senior management

Questions 93

An IS audit of an organization's data classification policies finds some areas of the policies may not be up-to-date with new data privacy regulations. What should management do FIRST to address the risk of noncompliance?

Options:

A.

Conduct a privacy impact assessment to identify gaps.

B.

Declassify information based on revised information classification labels.

C.

Mandate training on the new privacy regulations.

D.

Perform a data discovery exercise to identify all personal data.

Questions 94

While reviewing an independent audit report of a service provider, an IS auditor notes that the report includes a reference to a subservice organization that provides data center hosting services. Which of the following is the MOST efficient way for the auditor to assess the data center's physical access controls?

Options:

A.

Ask the service provider for an independent audit report covering the subservice organization's data center

B.

Ask the service provider for a copy of the subservice organization's data center physical security policy

C.

Engage a third party to audit physical access controls at the subservice Organization

D.

Visit the data center and perform testing over physical access controls at the subservice organization

Questions 95

Which of the following BEST demonstrates to an IS auditor that an organization has implemented effective risk management processes?

Options:

A.

Critical business assets have additional controls.

B.

The risk register is reviewed periodically.

C.

A business impact analysis (BIA) has been completed.

D.

The inventory of IT assets includes asset classification.

Questions 96

Which of the following is MOST important to consider when creating audit follow-up procedures?

Options:

A.

Whether follow-up procedures would determine if identified risks have been mitigated

B.

Whether the auditee has allotted sufficient time for the follow-up

C.

Whether management has determined if risk is within the organization's risk appetite

D.

Whether the organization has sufficient funds to address the issue

Questions 97

Which of the following risk management activities is MOST important to complete before implementing an enterprise resource planning (ERP) system?

Options:

A.

Optimize business process designs

B.

Validate compliance with applicable local financial regulations.

C.

Define the organization's control objectives.

D.

Appoint an independent risk advisory firm to provide support.

Questions 98

A recent audit concluded that an organization’s information security system was weak and that monitoring would likely fail to detect penetration. Which of the following would be the MOST appropriate recommendation?

Options:

A.

Identify and periodically remove sensitive data that is no longer needed

B.

Look continually for new criminal behavior and attacks on sensitive data

C.

Encrypt sensitive data while strengthening the system

D.

Establish a clear policy related to security and the handling of sensitive data

Questions 99

During an annual audit, an IS auditor finds there is no written agreement between the IT department and users. The auditor's FIRST step should be to:

Options:

A.

recommend drafting a service level agreement (SLA)

B.

determine the impact of the issue

C.

report the issue to senior management

D.

document the issue in the final report

Questions 100

When would an IS auditor expect to see testing completed for a project using agile methodology?

Options:

A.

After the requirements phase

B.

Just before a major release

C.

Parallel to the development activity

D.

At the end of development

Questions 101

What would be an IS auditor's BEST course of action when a critical issue outside the audit scope is discovered on an employee workstation?

Options:

A.

Record the observation in the workpapers.

B.

Take no action as this issue is outside the audit scope.

C.

Include the finding with recommendations in the final report.

D.

Expand the audit scope to include desktop audits.

Questions 102

An IS auditor is conducting a pre-implementation review to determine a new system's production readiness. The auditor's PRIMARY concern should be whether:

Options:

A.

benefits realization has been evidenced.

B.

there are unresolved high-risk items.

C.

the project adhered to the budget and target date.

D.

users were involved in the quality assurance (QA) testing.

Questions 103

When reviewing an organization's security awareness program, it is MOST important to verify that training occurs:

Options:

A.

on a continual basis.

B.

within the first few months of employment.

C.

before access to information is granted.

D.

whenever security policies are updated.

Questions 104

Which of the following is the MOST critical element impacting the success of an information security program?

Options:

A.

Mandatory information security awareness training

B.

Senior management commitment to information security initiatives

C.

Implementation of industry-standard information security tools

D.

Adequate budget to support the information security strategy

Questions 105

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

Options:

A.

Short key length

B.

Random key generation

C.

Use of asymmetric encryption

D.

Use of symmetric encryption

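What makes a brute-force attack feasible is the size of the key space, which doubles with every added key bit; whether the algorithm is symmetric or asymmetric does not change that, and random key generation is a strength, not a weakness. The following added example (not part of the question bank) makes the point concrete with a deliberately weak toy cipher (repeating-key XOR, chosen only so that a 16-bit key can be exhausted in well under a second on a laptop) and an arithmetic helper that shows how the same exhaustive search scales with key length. The plaintext, key and search rate are invented for the demonstration; nothing here is production cryptography.

```python
"""Key length, not the symmetric/asymmetric choice, decides brute-force exposure.

Added example.  toy_encrypt is a repeating-key XOR used only so that a
16-bit key space can be exhausted quickly; years_to_exhaust shows how the
same search grows with key length.  All inputs are constructed.
"""
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def toy_encrypt(plaintext: bytes, key: int, key_bits: int) -> bytes:
    """Repeating-key XOR with a key_bits-bit key.  Toy cipher for the demo only;
    XOR is its own inverse, so the same function decrypts."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(plaintext))


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key in order; return (key, keys_tried) or (None, keys_tried).

    A known-plaintext prefix (a file magic number, a JSON brace, a header
    field) is the usual oracle for recognising the correct key.
    """
    n = len(known_prefix)
    for key in range(2 ** key_bits):
        if toy_encrypt(ciphertext[:n], key, key_bits) == known_prefix:
            return key, key + 1
    return None, 2 ** key_bits


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try every key of the given length, in years."""
    return (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    secret_key = 0xBEEF  # constructed 16-bit key
    ct = toy_encrypt(b'{"account":"4711","amount":250}', secret_key, 16)
    t0 = time.perf_counter()
    key, tried = brute_force(ct, b'{"', 16)
    print(f"16-bit key recovered: {key:#06x} after {tried} tries "
          f"in {time.perf_counter() - t0:.2f}s")
    # Assumed attacker rate of 1e12 keys/s, a generous figure for dedicated hardware.
    for bits in (16, 40, 56, 80, 128, 256):
        print(f"{bits:3d}-bit key: {years_to_exhaust(bits, 1e12):.3g} years to exhaust")
```

The printed table is the auditor's argument in numbers: at the assumed rate a 56-bit key falls in minutes, an 80-bit key in tens of thousands of years, and a 128-bit key in a span many orders of magnitude beyond the age of the universe. Note that symmetric and asymmetric key lengths are not comparable bit for bit (an RSA modulus is attacked by factoring, not by enumerating keys), so "short" must be judged against the algorithm in use.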
Questions 106

What is the PRIMARY reason for hardening new devices before introducing into a corporate network?

Options:

A.

To comply with organization policies

B.

To prevent users from installing unlicensed software

C.

To reduce exposure to security risk

D.

To reduce unnecessary downtime

Questions 107

Which of the following should be included in a business impact analysis (BIA)?

Options:

A.

Identification of IT resources that support key business processes

B.

Recovery strategy for significant business interruptions

C.

Support documentation for the recovery alternative

D.

Roles and responsibilities for the business continuity process

Questions 108

The practice of performing backups reflects which type of internal control?

Options:

A.

Preventive

B.

Detective

C.

Corrective

D.

Compensating

Questions 109

In which of the following sampling methodologies does each member of the population have a known nonzero probability of being selected?

Options:

A.

Stratified sampling

B.

Haphazard sampling

C.

Quota sampling

D.

Judgmental sampling

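Of the four options, only stratified sampling is a statistical (probability) method: the population is split into strata and a simple random sample of n_h items is drawn from each stratum of N_h items, so every item's inclusion probability is n_h / N_h, known before selection and nonzero as long as n_h is at least 1. Haphazard, quota and judgmental selection give no such probability, which is why their results cannot be projected to the population. The following is an added worked example, not part of the question bank; the invoice population, strata and allocation are constructed.

```python
"""Stratified sampling with known, nonzero inclusion probabilities.

Added example.  The population is constructed: 400 invoices in three
value bands.  inclusion_probabilities shows that every item has a known
probability of selection; projected_total shows what that buys the auditor,
namely a defensible projection from sample results to the population.
"""
import random
from collections import Counter, defaultdict

# Constructed population: (invoice_id, stratum by amount band)
POPULATION = (
    [(f"INV{i:04d}", "high") for i in range(1, 21)]        # 20 high-value invoices
    + [(f"INV{i:04d}", "medium") for i in range(21, 101)]  # 80 medium
    + [(f"INV{i:04d}", "low") for i in range(101, 401)]    # 300 low
)

# Constructed disproportionate allocation: examine every high-value item, fewer of the rest.
SAMPLE_SIZES = {"high": 20, "medium": 16, "low": 15}


def inclusion_probabilities(population, sample_sizes):
    """Return {item_id: probability of selection} under stratified sampling."""
    stratum_sizes = Counter(stratum for _, stratum in population)
    probs = {}
    for item_id, stratum in population:
        n_h = sample_sizes.get(stratum, 0)
        if n_h < 1 or n_h > stratum_sizes[stratum]:
            raise ValueError(f"invalid allocation {n_h} for stratum {stratum!r}")
        probs[item_id] = n_h / stratum_sizes[stratum]
    return probs


def stratified_sample(population, sample_sizes, seed=None):
    """Draw n_h items without replacement from each stratum; seed for reproducibility."""
    rng = random.Random(seed)
    by_stratum = defaultdict(list)
    for item_id, stratum in population:
        by_stratum[stratum].append(item_id)
    sample = []
    for stratum, items in by_stratum.items():
        sample.extend(rng.sample(items, sample_sizes[stratum]))
    return sample


def projected_total(observed_values, probs):
    """Horvitz-Thompson projection: each observed value is weighted by 1 / its
    inclusion probability.  observed_values maps sampled item_id -> value found
    (for example, the misstatement in that invoice)."""
    return sum(v / probs[item_id] for item_id, v in observed_values.items())


if __name__ == "__main__":
    probs = inclusion_probabilities(POPULATION, SAMPLE_SIZES)
    sample = stratified_sample(POPULATION, SAMPLE_SIZES, seed=7)
    print(f"{len(sample)} items sampled; minimum inclusion probability {min(probs.values()):.3f}")
    # Constructed finding: one low-band invoice in the sample is overstated by 10.00.
    print(f"projected population overstatement: {projected_total({'INV0101': 10.0}, probs):.2f}")
```

The projection step is the reason the property matters to an auditor: a 10.00 error found in a low-band invoice that had a 1-in-20 chance of selection represents an expected 200.00 across the low band. With judgmental or haphazard selection there is no probability to divide by, so the finding stays an isolated observation.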
Questions 110

An organization experienced a domain name system (DNS) attack caused by default user accounts not being removed from one of the servers. Which of the following would have been the BEST way to mitigate the risk of this DNS attack?

Options:

A.

Configure the servers from an approved standard configuration

B.

Require all employees to attend training for secure configuration management

C.

Have a third party configure the virtual servers

D.

Configure the intrusion prevention system (IPS) to identify DNS attacks

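An approved standard configuration works because it turns "were the default accounts removed?" from something each administrator must remember into a mechanical comparison that can run on every build and on every periodic review. The following added example (not part of the question bank) shows that comparison: a constructed /etc/passwd excerpt from a freshly built DNS server is checked against a constructed baseline that states which accounts may exist, with what UID, and whether they may have an interactive shell. Account names, UIDs and the baseline are all invented for the illustration.

```python
"""Checking a server's local accounts against an approved standard configuration.

Added example.  PASSWD_SAMPLE and BASELINE are constructed; in practice the
baseline would come from the organization's hardening standard and the passwd
data from the host being reviewed.
"""

# Constructed /etc/passwd excerpt from a newly built DNS server.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
named:x:25:25:Named:/var/named:/usr/sbin/nologin
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest Account:/home/guest:/bin/bash
support:x:1002:1002:Vendor Support:/home/support:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

# Constructed approved baseline: account -> (expected UID, interactive shell permitted?)
BASELINE = {
    "root": (0, True),
    "bin": (1, False),
    "named": (25, False),
    "admin": (1000, True),
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        yield name, int(uid), shell


def check_accounts(passwd_text, baseline):
    """Compare the host's accounts with the baseline.

    Returns (severity, account, message) tuples ordered by severity then name.
    Unknown accounts are HIGH if they have UID 0 or an interactive shell
    (the default-account case behind the question), otherwise MEDIUM.
    """
    findings = []
    seen = set()
    for name, uid, shell in parse_passwd(passwd_text):
        seen.add(name)
        if name not in baseline:
            sev = "HIGH" if uid == 0 or shell not in NOLOGIN_SHELLS else "MEDIUM"
            findings.append((sev, name, f"not in approved baseline (uid={uid}, shell={shell})"))
            continue
        expected_uid, interactive_ok = baseline[name]
        if uid != expected_uid:
            findings.append(("HIGH", name, f"uid {uid} differs from baseline uid {expected_uid}"))
        if shell not in NOLOGIN_SHELLS and not interactive_ok:
            findings.append(("HIGH", name, f"interactive shell {shell} not permitted by baseline"))
    for name in baseline.keys() - seen:
        findings.append(("LOW", name, "baseline account missing from host"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, account, message in check_accounts(PASSWD_SAMPLE, BASELINE):
        print(f"{severity:6} {account:10} {message}")
```

Against the constructed input the check reports three HIGH findings: the guest and vendor support accounts left over from the build, and a second UID 0 account. Training (option B) and outsourcing the build (option C) only change who might forget; an IPS (option D) detects the attack after the weakness has already been exploited.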
Questions 111

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Virtual backup

B.

Real-time backup

C.

Full backup

D.

Differential backup

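The trade-off behind this question is storage consumed against the number of backup sets that must be applied at restore time. The following added example (not part of the question bank) models a dataset as a set of block identifiers and replays a constructed week of changes under three schemes: a full backup every day, a weekly full with daily differentials (everything changed since the full), and a weekly full with daily incrementals (everything changed since the previous backup of any kind). The dataset size and daily change sets are invented for the illustration.

```python
"""Storage cost and restore chain length of full, differential and incremental backups.

Added example.  DATASET and DAILY_CHANGES are constructed; each backup's
size is measured in blocks stored.
"""

DATASET = set(range(1000))  # constructed: 1000 blocks

# Constructed change sets for Mon..Sat, following a Sunday full backup.
DAILY_CHANGES = [
    set(range(0, 50)),      # Mon: 50 blocks changed
    set(range(25, 85)),     # Tue: 60 blocks, overlapping Monday's
    set(range(80, 120)),    # Wed: 40 blocks
    set(range(0, 20)),      # Thu: 20 blocks, re-touching Monday's
    set(range(115, 200)),   # Fri: 85 blocks
    set(range(150, 160)),   # Sat: 10 blocks
]


def simulate(scheme, dataset, daily_changes):
    """Replay a backup week and return per-day sizes, total blocks stored and
    the number of backup sets needed to restore the final day.

    Day 0 is the weekly full under every scheme; daily_changes covers the
    following days.  scheme is 'full', 'differential' or 'incremental'.
    """
    if scheme not in ("full", "differential", "incremental"):
        raise ValueError(f"unknown scheme {scheme!r}")
    sizes = [len(dataset)]          # day 0: the weekly full
    since_full = set()
    for changed in daily_changes:
        if scheme == "full":
            sizes.append(len(dataset))
        elif scheme == "differential":
            since_full |= changed       # every block touched since the last full
            sizes.append(len(since_full))
        else:
            sizes.append(len(changed))  # only blocks changed since the previous backup
    if scheme == "full" or not daily_changes:
        restore_sets = 1                # the latest set alone is enough
    elif scheme == "differential":
        restore_sets = 2                # full + latest differential
    else:
        restore_sets = 1 + len(daily_changes)  # full + every incremental in order
    return {"daily": sizes, "total_blocks": sum(sizes), "restore_sets": restore_sets}


if __name__ == "__main__":
    for scheme in ("full", "differential", "incremental"):
        r = simulate(scheme, DATASET, DAILY_CHANGES)
        print(f"{scheme:12} stored {r['total_blocks']:5d} blocks, "
              f"restore needs {r['restore_sets']} set(s): {r['daily']}")
```

On the constructed week, daily fulls store 7000 blocks, differentials 1775 and incrementals 1265. Incremental is the cheapest on media but a Saturday restore must replay seven sets in order, and a single damaged set breaks the chain; differential stores somewhat more yet always restores from two sets. Among the options offered in the question, differential is the one that reduces media consumption relative to a full backup.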
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Jan 17, 2021
Questions: 857
